Malicious RTF — malware analysis report

Static analysis result for SHA-256 5a01c25a9d82aba8…

Verdict: MALICIOUS
File type: RTF
Size: 23.4 KB
MD5: f847ce043bc119d60f51f4997930979b
SHA-1: 1dc885296ae87ccb5c880913dfe112dcb5e9b9c1
SHA-256: 5a01c25a9d82aba8adbbeffeb4d1752678c9232e817e56474fbd7ccb4b6ded2e
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

Several heuristics fired on this RTF document, all pointing to abuse of OLE object linking and activation. Specifically, RTF_OBJDATA, RTF_OBJAUTLINK, and RTF_OBJUPDATE indicate that embedded OLE objects are present and are configured to activate automatically when the document is opened, without user interaction. This mechanism is commonly used to download and execute secondary payloads, making the document a likely delivery vehicle for further malicious activity.

Heuristics (3)

  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001a2a.bin
SHA-256: e5d8eacf509cb2a9afa7a59de620ec4d24d7c5fc57f32128ab6eee4a11d7687f
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1A2A
Size: 3667 bytes